CN114257433A - Ethernet channel gate - Google Patents

Ethernet channel gate

Info

Publication number
CN114257433A
Authority
CN
China
Prior art keywords
gate
ethernet
node
channel
unidirectional
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111527117.1A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed (不公告发明人)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guo Aibo
Original Assignee
Guo Aibo
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-07-05
Filing date
2019-07-05
Publication date
2022-03-29
2019-07-05 Application filed by Guo Aibo
2019-07-05 Priority to CN202111527117.1A
2022-03-29 Publication of CN114257433A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0227 Filtering policies

Abstract

The Ethernet channel gate of the invention (C1 in Fig. 3) consists of an Ethernet channel and a one-way gate. It takes the two directional gates that coexist inside an ordinary network gatekeeper and separates them: the right gate is moved to the left and the left gate to the right, forming two mutually independent, symmetrical one-way gates. Inside C1 the one-way gate sits only on the outbound path of node A (the inbound path of node B); the path in the opposite direction passes straight through C1 with no electrical connection to the one-way gate, and the node disappears: C1 neither constitutes nor contains a network node, has neither a MAC address nor any protocol address, and cannot be addressed directly. Because C1 has no bidirectional communication capability with any node on either side, the necessary condition for compromising it is no longer met: the node on the B side cannot exert any control over C1, and the node on the A side can at most control it open-loop, which sharply raises the gate's own security. It can be used singly, or in pairs, to form a system that cannot be compromised or is difficult to compromise.

Description

Ethernet channel gate
This application is a divisional application; the original application is:
Application date: 5 July 2019
Application No.: 201910603098.2
Title of the invention: Unidirectional Ethernet gate
1. Technical field
The invention belongs to the field of computer networks and information security, and in particular to the security isolation of networks, reliable data transmission, and the self-security of network security devices.
2. Background art
As network and information security receive more attention, more and more network and information security products appear on the market. Whether they are pure software or a combination of software and hardware, they share one pain point in an arms race where every defensive advance is matched by the attacker: the security of the security product itself. Once a network or information security product is compromised, all of its advertised protection functions come to nothing.
Secure isolation and reliable transmission are two conflicting concepts. The most secure isolation is physical disconnection, that is, no connection at all between two nodes A and B, in which case no transmission between A and B is possible. Reliable transmission, on the other hand, is normally achieved by bidirectional communication even when the payload itself flows in one direction, because feedback is needed for reliability, and then the isolation between A and B becomes a problem.
3. Summary of the invention
The technical problem the invention addresses is how to achieve both secure isolation and reliable transmission while overcoming the security weaknesses of existing network security equipment. When an ordinary gatekeeper is installed between two nodes A and B, it forms a new network node C, which has a physical address such as a MAC address (a layer-2 node characteristic) and is usually also configured with a protocol address such as an IP address (a layer-3 node characteristic), so users can access it directly by MAC or IP. It is called a "gatekeeper" because it filters and relays network traffic like a gate, shown by the dashed lines in Fig. 1. Within node C there are two gates at once: one handling traffic received at the upper left and transmitted at the lower right (the "right gate" for short), and one handling traffic received at the upper right and transmitted at the lower left (the "left gate" for short). C has two ports: through the left port C maintains full bidirectional communication with A, and through the right port full bidirectional communication with B, so both A and B can communicate bidirectionally with C. That is the necessary condition for C to be compromised.
The invention separates the two directional gates in C: the right gate is moved to the left and the left gate to the right, yielding two independent, symmetrical one-way gates C1 and C2, as shown in Fig. 2. Only C1 is discussed here. As Fig. 3 shows, the one-way gate in C1 sits only on the outbound path of node A (the inbound path of node B), while the path in the opposite direction passes straight through C1 without any electrical connection to the one-way gate. The originally symmetrical paths therefore take an asymmetrical form inside C1, and the node disappears: C1 neither constitutes nor contains a network node, has neither a MAC address nor any protocol address, and cannot be addressed directly. C1 has no bidirectional communication capability with any node on either side, so the necessary condition for compromising it is no longer met: the node on the B side cannot exert any control over C1, and the node on the A side can at most control it open-loop (it can send commands but receives no feedback), which sharply raises the gate's own security.
In practice, on the one hand, a button, an ordinary switch or a DIP switch may be built into the Ethernet channel gate to set and adjust its functions for different security requirements and ease of use. In particular, the filtering function may be set to full filtering, discarding all packets, which turns the device into a (logical) unidirectional Ethernet bridge, or cancelled entirely, passing all packets, which turns it into a (bidirectional) Ethernet bridge. On the other hand, the Ethernet channel gate may be used alone, as shown in Fig. 4, or in pairs connected in reverse series with a crossover cable, as shown in Fig. 5, to form a system that cannot be compromised or is difficult to compromise. Note that if PC1 and the router are removed from the scenario of Fig. 4, the system formed by PC2 and PC3 is essentially no different from Fig. 5, except that the two Ethernet channel gates are joined through a switch.
The invention does not concern layer-2 network technologies other than Ethernet; 100BASE-TX is used here only for convenience of description, and other forms of Ethernet may be used in practice.
4. Description of the drawings
Fig. 1 is the structure of the "gate" in an ordinary gatekeeper in a 100BASE-TX Ethernet environment: C integrates a bidirectional filtering function and has bidirectional communication capability with both ends A and B.
Fig. 2 is a schematic diagram of the Ethernet channel gate of the invention in a 100BASE-TX Ethernet environment. C1 and C2 are identical; where there were originally two directions, each filters in only one, and this structure is what fundamentally distinguishes the invention from the prior art.
Fig. 3 shows the internal structure of the Ethernet channel gate C1 and its connections to the nodes A and B at both ends in a 100BASE-TX Ethernet environment; the channel from B to A only passes through C1 and has no electrical connection with the one-way gate inside C1. The numbers in parentheses in Figs. 1, 2 and 3 are the pin numbers of the twisted pairs in the corresponding RJ45 socket in a 100BASE-TX Ethernet environment.
Fig. 4 is an application scenario in which the Ethernet channel gate is used alone.
Fig. 5 is an application scenario in which Ethernet channel gates are used in pairs with crossover cables. Note that two of the single-use arrangements of Fig. 4 can also produce the paired effect of Fig. 5. 100BASE-TX is mentioned in the figures only for convenience of description; other forms of Ethernet may be used in practice. ECGx (Ethernet Channel Gate, x a number) in Figs. 4 and 5 denotes the Ethernet channel gate of the invention. In Fig. 4 no Ethernet channel gate is installed on PC1, while Ethernet channel gates are installed between PC2 and SWITCH and between PC3 and SWITCH. Taking 100BASE-TX Ethernet as the example again: PC1 is connected to SWITCH by a straight-through cable, which carries both a PC1 → SWITCH channel (the pair on pins 1 and 2) and a SWITCH → PC1 channel (the pair on pins 3 and 6), so PC1 can send packets to SWITCH and SWITCH can send packets to PC1. The PC2 connection shows the physical connection of an Ethernet channel gate; it is connected in exactly the same way as network devices such as firewalls. The PC3 connection further shows the logical connection of the Ethernet channel gate. The Ethernet channel gate sits on the outbound channel of PCx (x a number), and its basic principle is to selectively relay outbound frames; it may hold parameters such as an access control list, and may contain buttons, ordinary switches or DIP switches.
5. Detailed description of the invention
The specific embodiments are shown in Figs. 4 and 5. Fig. 4 is the scenario in which the Ethernet channel gate is used alone and Fig. 5 the scenario in which it is used in pairs. In either case, where access control on the Ethernet channel gate is required, it is carried out using IP protocol number 1 (ICMP).
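As an added example (not part of the patent, and not the inventor's code), the following Python model captures the structure described in the summary and the detailed description above: one filtered channel, one pass-through channel that never reaches the filtering element, open-loop control from the A side carried in IP protocol 1, and paired use as in Fig. 5. The frame layout (Ethernet II + IPv4), the destination-IP access list, the `ChannelGate` and `Link` names and the `ECG-ACL:` control-message format are assumptions made here for illustration; the page specifies none of them.

```python
"""Behavioural model of the Ethernet channel gate C1 (Fig. 3) used alone (Fig. 4) and in pairs (Fig. 5).
Added example, not the patent's own code. Frames are Ethernet II + IPv4 with zeroed checksums (the model
does not verify them); the destination-IP ACL and the ICMP-carried control message are assumptions."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_ICMP = 1           # the description's "IP protocol number 1" for access control
CTRL_MAGIC = b"ECG-ACL:"   # assumption: marks an open-loop ACL update that A pushes to the gate


def build_frame(dst_mac: bytes, src_mac: bytes, dst_ip: str, src_ip: str,
                proto: int = 6, l4: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet II header + 20-byte IPv4 header + L4 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip_hdr + l4


def parse_frame(frame: bytes) -> dict:
    """Extract only what the gate filters on; non-IPv4 frames get proto/dst_ip None."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0], "proto": None, "dst_ip": None, "l4": b""}
    if info["ethertype"] == ETH_P_IP and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        info.update(proto=frame[23], dst_ip=frame[30:34], l4=frame[14 + ihl:])
    return info


@dataclass
class ChannelGate:
    """C1: one filtered channel, one pass-through channel, no MAC, no IP.
    mode 'filter'   relay A->B frames whose destination IP is on the ACL
    mode 'drop_all' claim 3: discard everything, leaving a logical one-way bridge B->A
    mode 'pass_all' relay everything, i.e. a plain bidirectional bridge"""
    mode: str = "filter"
    allowed_dst_ip: set = field(default_factory=set)

    def outbound(self, frame: bytes) -> Optional[bytes]:
        """A's transmit pair (RJ45 pins 1,2 at A): the only path that touches the gate. Returns the
        input frame unchanged or None; the gate never originates a frame of its own."""
        info = parse_frame(frame)
        # Open-loop control from A: an ICMP message (8-byte header) whose payload starts with
        # CTRL_MAGIC (assumed format). It is applied and consumed; there is no path to acknowledge it.
        if info["proto"] == IPPROTO_ICMP and info["l4"][8:].startswith(CTRL_MAGIC):
            entries = info["l4"][8 + len(CTRL_MAGIC):].decode().split(",")
            self.allowed_dst_ip = {ipaddress.IPv4Address(e).packed for e in entries if e}
            return None
        if self.mode == "pass_all":
            return frame
        if self.mode == "drop_all":
            return None
        return frame if info["dst_ip"] in self.allowed_dst_ip else None

    def inbound(self, frame: bytes) -> bytes:
        """B's transmit pair (pins 3,6 at A): straight through, no electrical connection to the gate."""
        return frame


@dataclass
class Link:
    """A <-> B path. Fig. 4: one gate. Fig. 5: a second gate reversed via a crossover cable,
    so that B's transmit pair lands on that gate's filtered channel."""
    a_gate: ChannelGate
    b_gate: Optional[ChannelGate] = None

    def a_to_b(self, frame: bytes) -> Optional[bytes]:
        out = self.a_gate.outbound(frame)
        return out if out is None or self.b_gate is None else self.b_gate.inbound(out)

    def b_to_a(self, frame: bytes) -> Optional[bytes]:
        out = frame if self.b_gate is None else self.b_gate.outbound(frame)
        return None if out is None else self.a_gate.inbound(out)


def demo() -> dict:
    """Exercise the properties the description claims; returns the outcomes by name."""
    a_mac, b_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    icmp_hdr = b"\x08\x00\x00\x00\x00\x00\x00\x00"            # echo request, zero checksum
    gate, r = ChannelGate(), {}
    single = Link(gate)
    # A configures the gate open-loop; the control frame is consumed, neither forwarded nor answered
    ctrl = build_frame(b_mac, a_mac, "10.0.0.2", "10.0.0.1", IPPROTO_ICMP, icmp_hdr + CTRL_MAGIC + b"10.0.0.2")
    r["ctrl_forwarded"] = single.a_to_b(ctrl)
    allowed = build_frame(b_mac, a_mac, "10.0.0.2", "10.0.0.1")
    r["a_to_b_allowed"] = single.a_to_b(allowed) == allowed
    r["a_to_b_denied"] = single.a_to_b(build_frame(b_mac, a_mac, "10.0.0.9", "10.0.0.1"))
    # B cannot control the gate: its channel bypasses it, so a 'control' message is merely relayed to A
    b_ctrl = build_frame(a_mac, b_mac, "10.0.0.1", "10.0.0.2", IPPROTO_ICMP, icmp_hdr + CTRL_MAGIC + b"10.0.0.9")
    r["b_to_a_relayed"] = single.b_to_a(b_ctrl) == b_ctrl
    r["acl_after_b"] = sorted(gate.allowed_dst_ip)
    # Fig. 5: two gates in reverse series filter both directions
    pair = Link(ChannelGate("filter", {ipaddress.IPv4Address("10.0.0.2").packed}),
                ChannelGate("filter", {ipaddress.IPv4Address("10.0.0.1").packed}))
    r["pair_b_to_a_allowed"] = pair.b_to_a(build_frame(a_mac, b_mac, "10.0.0.1", "10.0.0.2")) is not None
    r["pair_b_to_a_denied"] = pair.b_to_a(build_frame(a_mac, b_mac, "10.0.0.7", "10.0.0.2"))
    return r
```

`demo()` exercises the two asymmetries the text relies on: a control message from A reconfigures the gate but is never forwarded or acknowledged, while the same message sent from B is relayed to A untouched and leaves the ACL unchanged, because the B → A channel never reaches the filtering element. The "no node" property is enforced only by construction: `outbound` returns either the frame it received or nothing, and no code path builds a frame of the gate's own.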

Claims (4)

1. An Ethernet channel gate (C1 in Fig. 3) comprising an Ethernet channel and a unidirectional gate, characterized in that: (1) the unidirectional gate is arranged on one channel of the Ethernet, and the other channel, in the opposite direction, passes straight through the gate (C1 in Fig. 3) without any electrical connection to the unidirectional gate, so that the originally symmetrical channels take an asymmetrical form inside the gate (C1 in Fig. 3); (2) the gate neither constitutes nor contains a network node, has no bidirectional communication capability with any node on either side, and so no longer satisfies the necessary condition for being compromised: the node on one side (B in Fig. 3) cannot exert any control over the gate (C1 in Fig. 3), and the node on the other side (A in Fig. 3) can at most control the gate (C1 in Fig. 3) open-loop, so that the gate's own security is sharply increased.
2. The Ethernet channel gate of claim 1, wherein its functions are selectively set and adjusted by a button, an ordinary switch or a DIP switch.
3. The Ethernet channel gate of claim 1, wherein the filtering function is set to full filtering, i.e. all packets are discarded, forming a (logical) unidirectional Ethernet bridge.
4. Two Ethernet channel gates according to claim 1 connected in reverse by crossover cables or a switch, forming a (bidirectional) Ethernet gate that filters in both directions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111527117.1A CN114257433A (en) 2019-07-05 2019-07-05 Ethernet channel gate

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111527117.1A CN114257433A (en) 2019-07-05 2019-07-05 Ethernet channel gate
CN201910603098.2A CN110365669A (en) 2019-07-05 2019-07-05 Unidirectional ether gateway

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201910603098.2A Division CN110365669A (en) 2019-07-05 2019-07-05 Unidirectional ether gateway

Publications (1)

Publication Number Publication Date
CN114257433A true CN114257433A (en) 2022-03-29

Family

ID=68218270

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910603098.2A Pending CN110365669A (en) 2019-07-05 2019-07-05 Unidirectional ether gateway
CN202111527117.1A Pending CN114257433A (en) 2019-07-05 2019-07-05 Ethernet channel gate

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910603098.2A Pending CN110365669A (en) 2019-07-05 2019-07-05 Unidirectional ether gateway

Country Status (1)

Country Link
CN (2) CN110365669A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888284A (en) * 2010-07-08 2010-11-17 中国科学院高能物理研究所 Method and device used for one-way transmission of data
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN106533877A (en) * 2015-12-17 2017-03-22 郭爱波 One-way transmission ring of Ethernet
WO2018115359A1 (en) * 2016-12-22 2018-06-28 Airbus Defence And Space Sas Unidirectional communication system and method
CN108777681A (en) * 2018-05-29 2018-11-09 中国人民解放军91977部队 Network data unidirectional transmission control method based on NDIS filtration drives

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101325565B (en) * 2008-07-30 2010-12-01 北京华电天仁电力控制技术有限公司 Unidirection insulation network brake with protocol conversion function
CN102202055A (en) * 2011-04-28 2011-09-28 广州汇智通信技术有限公司 Isolation gateway
CN108933774A (en) * 2018-05-04 2018-12-04 北京明朝万达科技股份有限公司 Data interaction system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Gao Huan: "A brief discussion of unidirectional physical isolation gatekeeper systems" (浅谈单向物理隔离网闸系统), 科技经济市场 (Science & Technology Economy Market), no. 12, 15 December 2007 (2007-12-15) *

Also Published As

Publication number Publication date
CN110365669A (en) 2019-10-22

Similar Documents

Publication Publication Date Title
EP1062787B1 (en) Local network, especially ethernet network, with redundancy properties and redundancy manager
US8724519B2 (en) Technique for dual homing interconnection between communication networks
EP1476988B1 (en) Local network, particularly ethernet network having redundancy properties, and redundancy manager for such a network
EP2557734B1 (en) A method and apparatus for providing an uplink over an access ring
CN102546592B (en) Intelligent electric device and network system including the device
US8891546B1 (en) Protocol splitter
EP1869837A1 (en) Breakdown and decoupling tolerant communications network, a data path switching device and a corresponding method
WO2008065087A2 (en) Communication system having a master/slave structure
WO2019109177A1 (en) Multiple rstp domain separation
US8565072B2 (en) Method and a system for preventing a network storm from presenting in a multi-ring ethernet
CN108900415A (en) Master-slave device switching method and system on failure of an MLAG interface
CN100426794C (en) Method for processing data stream between different fire-proof walls
CN114553509A (en) Information internal and external network video conference intercommunication system and method based on isolation device
CN110601947A (en) Communication method and system based on ring network and link aggregation
CN114257433A (en) Ethernet channel gate
CN102546265B (en) Fault processing method, device and system for virtual private local area network
US7706527B2 (en) Interruption device for a data communication line
US5087911A (en) Data communication network
CN110247835B (en) Industrial switch ring network with dual redundancy protection function
EP1645098B1 (en) Mechanism and coupling device, so-called secure switch, for securing a data access
CN114915459A (en) Ethernet one-way transmission ring
CN112218269B (en) Train information security gateway system, data transmission method and locomotive
EP1496666A1 (en) Tunnel proxy for protecting data access
CN104580149B (en) A kind of active/standby mode network physical link is met an urgent need intelligent switching system
Dolezilek et al. Modern Ethernet Failure Recovery Methods for Teleprotection and High-Speed Automation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination